| Age | Commit message (Collapse) | Author | Files | Lines |
|
Trying to update the task cred while the task's current cred is not the
real cred will result in an error at the cred layer. Avoid this by
failing early and delaying the update.
Signed-off-by: John Johansen <[email protected]>
|
|
Having per policy ns interface files helps with containers restoring
policy.
Signed-off-by: John Johansen <[email protected]>
|
|
This is just setup for new ns specific .load, .replace, .remove interface
files.
Signed-off-by: John Johansen <[email protected]>
|
|
Verify that profiles in a load set specify the same policy ns and
audit the name of the policy ns that policy is being loaded for.
Signed-off-by: John Johansen <[email protected]>
|
|
Store loaded policy and allow introspecting it through apparmorfs. This
has several uses, including debugging, policy validation, and policy
checkpoint and restore for containers.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Policy management will be expanded beyond traditional unconfined root.
This will require knowing the profile of the task doing the management
and the ns view.
Signed-off-by: John Johansen <[email protected]>
|
|
Prepare for a tighter pairing of user namespaces and apparmor policy
namespaces, by making the ns to be viewed available.
Signed-off-by: John Johansen <[email protected]>
|
|
Prepare for a tighter pairing of user namespaces and apparmor policy
namespaces, by making the ns to be viewed available and checking
that the user namespace level is the same as the policy ns level.
This strict pairing will be relaxed once true support of user namespaces
lands.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
This is prep work for fs operations being able to remove namespaces.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Borrow the special null device file from selinux to "close" fds that
don't have sufficient permissions at exec time.
Signed-off-by: John Johansen <[email protected]>
|
|
Commit 9f834ec18def ("binfmt_elf: switch to new creds when switching to new mm")
changed when the creds are installed by the binfmt_elf handler. This
affects which creds are used to mmap the executable into the address
space, which can have an effect on apparmor policy.
Add a flag to apparmor at
/sys/kernel/security/apparmor/features/domain/fix_binfmt_elf_mmap
to make it possible to detect this semantic change so that the userspace
tools and the regression test suite can correctly deal with the change.
BugLink: http://bugs.launchpad.net/bugs/1630069
Signed-off-by: John Johansen <[email protected]>
|
|
Instead of testing whether a given dfa exists in every code path, have
a default null dfa that is used when loaded policy doesn't provide a
dfa.
This will let us get rid of special casing and avoid dereference bugs
when special casing is missed.
Signed-off-by: John Johansen <[email protected]>
|
|
Newer policy will combine the file and policydb dfas, allowing for
better optimizations. However, to support older policy we need to
keep the ability to address the "file" dfa separately. So dup
the policydb as if it is the file dfa and set the appropriate start
state.
Signed-off-by: John Johansen <[email protected]>
|
|
The dfa is currently set up to be shared (has the basis of refcounting)
but currently can't be because the count can't be increased.
Signed-off-by: John Johansen <[email protected]>
|
|
Newer policy encodes more than just version in the version tag,
so add masking to make sure the comparison remains correct.
Note: this is fully compatible with older policy as it will never set
the bits being masked out.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Policy should always undergo a full paranoid verification.
Signed-off-by: John Johansen <[email protected]>
|
|
When possible it's better to name a learning profile after the missing
profile in question. This allows for both more informative names and
for profile reuse.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
prepare_ns() will need to be called from alternate views, and namespaces
will need to be created via different interfaces. So refactor and
allow specifying the view ns.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Rename to the shorter and more familiar shell cmd name
Signed-off-by: John Johansen <[email protected]>
|
|
Rename to indicate the test is only about whether path mediation is used,
not whether other types of mediation might be used.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Proxy is shorter and a better fit than replaceby, so rename it.
Signed-off-by: John Johansen <[email protected]>
|
|
Invalid does not convey the meaning of the flag anymore so rename it.
Signed-off-by: John Johansen <[email protected]>
|
|
Move to common terminology with other LSMs and kernel infrastructure
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Policy namespaces will be diverging from profile management and
expanding so put it in its own file.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Prepare to mark sensitive kernel structures for randomization by making
sure they're using designated initializers. These were identified during
allyesconfig builds of x86, arm, and arm64, with most initializer fixes
extracted from grsecurity.
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: John Johansen <[email protected]>
|
|
Calling kmalloc(GFP_NOIO) with order == PAGE_ALLOC_COSTLY_ORDER is not
recommended because it might fall into an infinite retry loop without
invoking the OOM killer.
Since aa_dfa_unpack() is the only caller of kvzalloc() and
aa_dfa_unpack() which is calling kvzalloc() via unpack_table() is
doing kzalloc(GFP_KERNEL), it is safe to use GFP_KERNEL from
__aa_kvmalloc().
Since aa_simple_write_to_buffer() is the only caller of kvmalloc()
and aa_simple_write_to_buffer() is calling copy_from_user() which
is GFP_KERNEL context (see memdup_user_nul()), it is safe to use
GFP_KERNEL from __aa_kvmalloc().
Therefore, replace GFP_NOIO with GFP_KERNEL. Also, since we have
vmalloc() fallback, add __GFP_NORETRY so that we don't invoke the OOM
killer by kmalloc(GFP_KERNEL) with order == PAGE_ALLOC_COSTLY_ORDER.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: John Johansen <[email protected]>
|
|
For some obscure reason apparmor thinks it needs to locally implement
kref primitives that already exist. Stop doing this.
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Paul E. McKenney <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: [email protected]
Signed-off-by: Ingo Molnar <[email protected]>
|
|
As reported by yangshukui, a permission denial from security_task_wait()
can lead to a soft lockup in zap_pid_ns_processes() since it only expects
sys_wait4() to return 0 or -ECHILD. Further, security_task_wait() can
in general lead to zombies; in the absence of some way to automatically
reparent a child process upon a denial, the hook is not useful. Remove
the security hook and its implementations in SELinux and Smack. Smack
already removed its check from its hook.
Reported-by: yangshukui <[email protected]>
Signed-off-by: Stephen Smalley <[email protected]>
Acked-by: Casey Schaufler <[email protected]>
Acked-by: Oleg Nesterov <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
|
|
Several of the extended socket classes introduced by
commit da69a5306ab92e07 ("selinux: support distinctions
among all network address families") are never used because
sockets can never be created with the associated address family.
Remove these unused socket security classes. The removed classes
are bridge_socket for PF_BRIDGE, ib_socket for PF_IB, and mpls_socket
for PF_MPLS.
Signed-off-by: Stephen Smalley <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
|
|
Access to an fd from anon_inode always fails because there are
no set xattr operations. So this patch ignores private
inodes, including anon_inode, for file functions.
It was only ignored for smack_file_receive() to share a dma-buf fd,
but dma-buf has other functions like ioctl and mmap.
Reference: https://lkml.org/lkml/2015/4/17/16
Signed-off-by: Seung-Woo Kim <[email protected]>
Signed-off-by: Casey Schaufler <[email protected]>
|
|
Since 4b936885a (v2.6.32) all inodes on sockfs and pipefs are disconnected.
It caused filesystem specific code in smack_d_instantiate to be skipped,
because all inodes on those pseudo filesystems were treated as root inodes.
As a result all sockfs inodes had the Smack label set to floor.
In most cases access checks for sockets use socket_smack data so the inode
label is not important. But there are special cases that were broken.
One example would be calling fcntl with F_SETOWN command on a socket fd.
Now smack_d_instantiate expects all pipefs and sockfs inodes to be
disconnected and has the logic in the appropriate place.
Signed-off-by: Rafal Krypa <[email protected]>
Signed-off-by: Casey Schaufler <[email protected]>
|